Knowledge Management

Unix events show up in all events

fisk12
Path Finder

I have some different log sources that are being forwarded to a "main Splunk server". There are some Linux servers among them, and for those I have installed the unix app. For some reason, all the eventtypes are showing up in events from the other sources as well (firewall, wireless controller).

Like this, for every event:

eventtype=auditd
eventtype=cpu
eventtype=df check df host success
eventtype=hardware
eventtype=interfaces
eventtype=iostat cpu iostat report resource success
eventtype=lastlog
eventtype=lsof file lsof report resource success
eventtype=netstat cpu netstat os report success
eventtype=openPorts
eventtype=package
eventtype=protocol
eventtype=ps os process ps report success
eventtype=top os process report success top
eventtype=unix-all-logs
eventtype=usersWithLoginPrivs
eventtype=vmstat memory report resource success vmstat
eventtype=who

0 Karma

stech169
New Member

You've probably already figured this out but I'm just adding this because I had the same issue. If you just comment out the stanza for [unix-all-logs] in //etc/app/unix/default/eventtypes.conf, you don't get any eventtypes for device syslogs. Or look at the stanza for [unix-all-logs] and remove the search parameters that would hit your device syslog files.

In unix app 4.5, I modified as follows:

OLD:
[nix-all-logs]
search = source=".log" OR source=".log." OR source="/log/" OR source="/var/adm/" OR source="access*" OR source="error" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

NEW:
[nix-all-logs]
search = source="/var/adm/" OR source="access" OR source="error" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

0 Karma

yaraslau_haradz
New Member

This helped me get rid of the "unix-all-logs" eventtypes:
1) move "unix" app from folder etc/apps
2) restart splunk
3) copy "unix" app back to etc/apps folder
4) restart splunk

0 Karma

fisk12
Path Finder

Anyone have any idea?

0 Karma

fisk12
Path Finder

Cool, that did the trick, almost :) I managed to get rid of all the events except unix-all-logs; right now the relevant part of my config looks like this.

search = source="log" OR source="var" OR sourcetype="syslog*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog
dispatch.earliest_time = -15m

[unix-all-configs]
search = source="/etc/" OR source=".conf" OR source="*.cfg"

[unix-errors-or-critical]
search = index="os" = eventtype="unix-all-logs" error OR critical

How should I set this to get rid of the "unix-all-logs" event?

0 Karma

fisk12
Path Finder

Anyone have any ideas?

0 Karma

southeringtonp
Motivator

The unix app has a known issue with incorrectly defined eventtypes.

Take a look at this thread:
http://answers.splunk.com/questions/9194/results-returning-wrong-eventtypes

The gist is that you need to override each of the affected eventtypes and add the missing search= before the search strings.
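The defect described in this thread is a stanza whose search string lost its leading `search =`, so Splunk reads the string as some other key and the eventtype ends up with no search constraint at all, which is why it tags every event. The following script is an added example, not code from the unix app or from anyone in this thread: it parses an eventtypes.conf, reports stanzas that have no `search` key, and renders override stanzas that re-add `search =` in front of the stray line, ready to drop into the app's `local/eventtypes.conf` (which Splunk layers over `default/`). The sample conf text is constructed for the example, and the list of keys it treats as legitimate eventtypes.conf settings is an assumption for this check, not a complete spec.

```python
"""Audit a Splunk eventtypes.conf for stanzas that lost their ``search =`` key
and render local/eventtypes.conf override stanzas that restore it.

Added example for this thread; not part of the Splunk unix app.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z_.][\w.]*)\s*=\s*(?P<value>.*)$")

# Keys this check accepts as genuine eventtypes.conf settings (assumption for
# the example). Anything else inside a stanza is treated as a stray search
# string, because a bare "sourcetype=who" line parses as key=value too.
KNOWN_KEYS = {"search", "priority", "description", "color", "disabled"}

# Constructed sample: three well-formed stanzas and one ([who]) that carries its
# search string as a bare line, which is the defect discussed in the thread.
SAMPLE_CONF = """\
[cpu]
search = sourcetype=cpu

[df]
search = sourcetype=df
description = disk usage report

[who]
sourcetype=who

[unix-all-logs]
search = source="*.log" OR sourcetype="syslog*" NOT sourcetype=lastlog
"""


@dataclass
class Stanza:
    keys: Dict[str, str] = field(default_factory=dict)   # recognised settings
    stray: List[str] = field(default_factory=list)       # lines with no valid key


def parse_eventtypes(text: str) -> Dict[str, Stanza]:
    """Parse conf text into {stanza_name: Stanza}, preserving stanza order."""
    stanzas: Dict[str, Stanza] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, Stanza())
            continue
        if current is None:
            continue  # settings before the first stanza are out of scope here
        m = KEY_RE.match(line)
        if m and m.group("key") in KNOWN_KEYS:
            stanzas[current].keys[m.group("key")] = m.group("value").strip()
        else:
            stanzas[current].stray.append(line)
    return stanzas


def find_broken(stanzas: Dict[str, Stanza]) -> List[str]:
    """Names of eventtypes that define no search, i.e. match everything."""
    return [name for name, s in stanzas.items() if "search" not in s.keys]


def build_override(stanzas: Dict[str, Stanza]) -> str:
    """Render local/eventtypes.conf stanzas that put ``search =`` back in front
    of the stray line(s). Stanzas with nothing to recover are skipped and must
    be fixed by hand."""
    out: List[str] = []
    for name in find_broken(stanzas):
        stray = stanzas[name].stray
        if not stray:
            continue
        out.append(f"[{name}]")
        out.append("search = " + " ".join(stray))
        out.append("")
    return "\n".join(out).rstrip("\n")


if __name__ == "__main__":
    parsed = parse_eventtypes(SAMPLE_CONF)
    print("stanzas without a search key:", find_broken(parsed))
    print(build_override(parsed))
```

To run it against a real deployment, read `etc/apps/unix/default/eventtypes.conf` into `parse_eventtypes` instead of `SAMPLE_CONF` and write the rendered stanzas to `etc/apps/unix/local/eventtypes.conf`; because `local/` overrides `default/`, the app's own file stays untouched and survives an upgrade.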
